Inside Security (May 15th, 2018)

Today’s moral is short and sweet: don’t run outdated software, because someone will target your servers from across the world and attempt to run malware on them. The stories on GandCrab and Rail Europe are cases in point.

I want to take a moment and thank one of our sponsors by pointing out some recent content you might be interested in. Endgame, which sells endpoint protection tools, has created EMBER, a dataset of more than a million portable executable hashes that were scanned by VirusTotal during 2017. It includes metadata, but not the PE files themselves, so researchers can test their machine learning techniques against a stable benchmark. They have a lot more useful stuff on their blog, check them out.

An almost-weekly 30-minute podcast that is now at more than 100 episodes is worth listening to. Run by Daniel Miessler, you need to subscribe to his email list to get the show notes. The latest episode from early April quickly runs through the news about Facebook’s lack of privacy, cloud misconfigurations, the dangers of cut and pasting invisible text, and the Panera breach.

--David Strom, editor of Inside Security

Yesterday a major storm was created with the release of a new report about email encryption issues. The amount of bad reporting was immense, with most reporters missing the fact that there was nothing wrong with the PGP or S/MIME protocols themselves, only poor implementations – some of which have been around for more than a decade. Called Efail, it starts with this research paper and website. The researchers did a poor job coordinating disclosure too. Basically, if you use HTML email to read your email – which if you are concerned about privacy you shouldn’t be doing in the first place – certain email clients combined with plug-ins for PGP or S/MIME will expose encrypted data to a hacker, if the hacker has access to your email stream. That is a big if. The EFF weighed in with some very confusing (and in some cases alarmist) suggestions, which is unusual since they are level-headed most of the time on technical issues. The best report is from Steve Ragan at CSOonline, who documents the disclosures and fixes in this post. Don’t stop using email encryption if you are one of the few that actually use it (see the Tweeted and very pithy comments from Lesley Carhart below). Do update your email client to the latest version, or use Protonmail or some other software that is rock solid. And do turn off HTML rendering in your email client too.

Last month, cryptomining malware was again in the top malware spot, according to these researchers. Now criminals are targeting unpatched Windows Server and WebLogic installations and using them to run the mining malware. Both products have large proportions of unpatched systems across the world, even though the patches have been available for months. – CHECKPOINT BLOG

My colleague and dear friend Ed Tittel has examined all the 270-plus Windows commands published last week by Microsoft. He looked at commands that work in the plain DOS CMD window as well as PowerShell, or that don’t work in Windows 10. This is the first part of his experiments. – IT KNOWLEDGE EXCHANGE

A newly discovered evasive DDoS amplification attack method is in the wild, according to researchers. The attack leverages Universal Plug and Play, which is commonly used by many IoT devices for network configuration tasks. The post shows the history of UPnP exploits of all kinds, and describes this new attack method that uses non-standard IP ports to collect amplifications. – IMPERVA BLOG

Rail Europe has revealed a breach of credit cards and debit cards. Hackers put credit card-skimming malware on its website between late November 2017 and mid-February 2018. The company, which sells rail passes to Americans, has rebuilt its systems and notified consumers via this letter. Users of the site should change any shared passwords and are eligible for free credit monitoring. -- ZDNET

David Rotaro is a California teen who phished his East Bay area school’s student information system to change his and others’ grades. He was arrested on 14 felony counts. Police obtained a search warrant that eventually led them to Rotaro’s home, where they found evidence of the email attacks. He is awaiting a court date. -- ENGADGET

An analysis of the GandCrab ransomware is available here. The post shows how hard it is to stop malware from infesting websites, especially those running outdated software versions and that have admin pages publicly exposed to the Internet (such as the site shown here). It starts off with a phished and phony malware-ridden order inquiry document. -- TALOS BLOG

An analysis of the top 100 law firms worldwide by revenue revealed that 62 percent of them fail to meet the minimum level of email authentication needed to protect staff and clients against phishing attacks. These firms weren’t running DMARC, and even among those that had implemented the protocol, only three percent used reject policies. The worse news: law firms are among the best at adopting DMARC across various industries. -- 250OK BLOG
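To make the distinction in that survey concrete (no record, a monitoring-only `p=none` record, or an enforcing `p=reject` record), here is an added example, not code from the newsletter or from 250ok, that parses DMARC TXT records and tallies a set of constructed sample domains. A real check would fetch the `_dmarc.<domain>` TXT record via DNS; the sample records and domain names below are made up.

```python
"""Classify DMARC posture from _dmarc TXT records (added example, constructed data)."""
from typing import Optional, Dict


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a 'tag=value; tag=value' record into a dict; None if not a valid DMARC record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 and a p= policy tag
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(record: Optional[str]) -> str:
    """Map a record (or its absence) to the survey's buckets: no DMARC / none / quarantine / reject."""
    if record is None:
        return "no DMARC"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid DMARC"
    policy = tags["p"].lower()
    pct = tags.get("pct", "100")
    pct_val = int(pct) if pct.isdigit() else 100
    if policy == "reject" and pct_val < 100:
        # Partial enforcement: only a fraction of failing mail is rejected
        return f"reject ({pct_val}% of mail)"
    return policy


# Constructed sample records for hypothetical firms (not real domains).
SAMPLE_RECORDS = {
    "firm-a.example": None,
    "firm-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@firm-b.example",
    "firm-c.example": "v=DMARC1; p=quarantine; pct=50",
    "firm-d.example": "v=DMARC1; p=reject; rua=mailto:dmarc@firm-d.example",
}


def survey(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count how many domains fall into each DMARC posture bucket."""
    counts: Dict[str, int] = {}
    for rec in records.values():
        bucket = classify(rec)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts
```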

Thieves siphoned hundreds of millions of pesos out of Mexican banks by creating phantom orders that wired funds to bogus accounts and promptly withdrew the money. As many as five of Mexico’s largest banks may have been targeted. Given its scale, there is some suggestion of cyberfraud. -- REUTERS

You should read this report that examines the specifics of an insider threat. There are three typical actors (a purposeful insider, a normal employee who makes a simple mistake, and an imposter using stolen credentials). Some of the warning signs are downloading substantial data, multiple requests for resources that are outside someone’s job function, and emailing sensitive data externally. – VARONIS BLOG